On new hardware, the Windows 8 secure boot feature will prevent the booting of …


PC users who run Windows and Linux on the same machine will want to do some research before purchasing a Windows 8 computer. That's because systems with a "Designed for Windows 8" logo must ship with UEFI secure booting enabled—a move that prevents booting operating systems that aren’t signed by a trusted Certificate Authority.

This could pose a problem for Linux users, though in practice most can just change UEFI settings to disable secure boot before installing the open-source OS. But users will have to depend on hardware vendors to make this option possible in the first place.

Disabling secure boot

“Microsoft requires that machines conforming to the Windows 8 logo program and running a client version of Windows 8 ship with secure boot enabled,” Red Hat developer Matthew Garrett writes on his blog in reference to a recent presentation by Microsoft program manager Arie van der Hoeven. The Microsoft exec notes that UEFI and secure boot are “required for Windows 8 client” with the result that “all firmware and software in the boot process must be signed by a trusted Certificate Authority.”

Microsoft has a good reason for this. A “growing class of malware targets the boot path [and] often the only fix is to reinstall the operating system,” van der Hoeven said. “UEFI and secure boot harden the boot process [and] reduce the likelihood of bootkits, rootkits and ransomware.”

Importantly, though, Garrett writes that “there’s no indication that Microsoft will prevent vendors from providing firmware support for disabling this feature and running unsigned code.”

For many (and hopefully most) Windows 8 machines, this means that users have a good chance of successfully entering the UEFI settings interface to turn off secure boot. But this will depend on the hardware vendor.

“Experience indicates that many firmware vendors and OEMs are interested in providing only the minimum of firmware functionality required for their market,” Garrett writes. “It's almost certainly the case that some systems will ship with the option of disabling this. Equally, it's almost certainly the case that some systems won't. It's probably not worth panicking yet. But it is worth being concerned.”

Technically, vendors can ship Windows 8 PCs without meeting Microsoft's "designed for Windows 8" logo requirements, but major OEMs typically would not do that.

The Windows 8 developer tablet Microsoft handed out at this month’s BUILD conference did include the ability to turn off the secure boot process. This is reminiscent of Google’s Cr-48 Chromebook, which allowed users to turn off the Verified Boot process and install another operating system, though this involved flipping a physical switch instead of changing a software setting.

A signed OS

Besides disabling the Windows 8 secure boot process, another option for Linux lovers is installing a signed version of Linux. But “this poses several problems,” Garrett notes. “Firstly, we'd need a non-GPL bootloader. Grub 2 is released under the GPLv3, which explicitly requires that we provide the signing keys. Grub is under GPLv2 which lacks the explicit requirement for keys, but it could be argued that the requirement for the scripts used to control compilation includes that. It's a grey area, and exploiting it would be a pretty good show of bad faith. Secondly, in the near future the design of the kernel will mean that the kernel itself is part of the bootloader. This means that kernels will also have to be signed. Making it impossible for users or developers to build their own kernels is not practical. Finally, if we self-sign, it's still necessary to get our keys included by every OEM.”

Current machines dual-booting Windows 7 and Linux should be able to upgrade to Windows 8 without wiping out the Linux install. As Microsoft notes in the Building Windows 8 blog, “We will continue to support the legacy BIOS interface.” However, machines using UEFI instead of BIOS “will have significantly richer capabilities” including faster boot times and greater security.

Ultimately, the Windows 8 changes aren’t likely to wipe out Linux dual-boot scenarios, but they could restrict the types of hardware that will allow them. PC users who would boot two operating systems tend to be highly technical, though, so we expect they’ll find the necessary workarounds.

378 Reader Comments

a) It won't just complicate Windows installs. It will complicate BSD installs (and HaikuOS, ReactOS, etc).
b) It will also complicate installation of malware.
c) The Linux people screwed themselves with the GPLv3.

I am honestly not a fan of Windows 8 in general so will probably stick with my Win 7 and Ubuntu combo and keep my tablet life on Android. This will be worth keeping an eye on just to see where it takes things with the future of Linux.

I don't know about OEM board makers, but you can bet that all standalone motherboard makers that move to UEFI for their boot process will be quite happy to have that as a boot option. There's too much overlap in the build-your-own and linux communities not to cater to that need.

"This is reminiscent of Google’s Cr-48 Chromebook, which allowed users to turn off the Verified Boot process and install another operating system, though this involved flipping a physical switch instead of changing a software setting."

I think Google actually requires that all Chromebooks have this switch. You can buy any Chromebook without worrying about whether you'll be able to load unsigned code. Microsoft could put the same requirement in their logo program, but I have a feeling they won't =]

If you are going to run a DIY OS you should build a DIY computer. I mean... you aren't going to get a $BrandName$ with Win 8 OEM preloaded just to wipe it and install Linux, will you? No. Get a gaming motherboard with no secure anything and run Linux.

Who was that "unimpressed" by an unreleased OS? Weren't you the one a few years back saying the same thing about Win 7 and vowing to stick with XP forever and ever? History always repeats itself with these things. People don't like change. Nerds don't like change even more.

I'm only somewhat on the fence about this; I do enjoy dual-booting my systems from time to time, but I'm also rather appreciative that Microsoft is taking some action to secure the boot path. Those with any serious proclivity for dual-booting will be more than up to the task of working around/circumventing this system.

I also suspect that the vendors who offer the option to disable secure boot will see noticeably greater sales, and it won't be long before the option is ubiquitous. Basically, no problem beyond the very short term.

Seems like the GRUB issue is the least important of the issues. It doesn't sound that hard to roll a GRUB-workalike (or better) that adheres to a BSD license, and from there to a signed booter. I'm not familiar with FreeBSD, but perhaps a suitable replacement already exists. Certainly something could be worked out before it turned into a serious problem.

Frankly, I also doubt that alternative OSes are going to generally get locked out. This strikes me as a greater shot across the bow at those who might "unlock" a Windows 8 tablet.

I haven't yet played with UEFI boards, but just looking at the hoopla over the corrupted certificates issued by the CA in Northern Europe that allowed people to intercept HTTPS connections, how long will it take for someone to fake out a UEFI BIOS with a fake certificate? Or to leak the key to a certificate so that anyone can sign their OS and have it boot?

Just look at the leaked Blu-ray DVD key, the DeCSS issue, etc.

If there's a required key, it won't be too long before it's leaked and the cat is out of the bag yet again.

Linux users might still be able to dual boot in "legacy BIOS mode", but what is a bit more scary about this is that it sounds very much like the "secure computing" concept. If the OS is able to check that it is running on signed hardware, it will be possible to build a new generation of DRM that will only allow content to be played on signed hardware platforms. This gives copyright authorities a LOT of potential control over the media played on future computers.

I know one Ubuntu user who has an old Dell server that he picked up 2nd hand really cheap, but I'd guess this won't affect more than 5% of Linux/BSD users. I can't imagine any company that sells boxed motherboards not letting users turn off secure boot.

Who was that "unimpressed" by an unreleased OS? Weren't you the one a few years back saying the same thing about Win 7 and vowing to stick with XP forever and ever? History always repeats itself with these things. People don't like change. Nerds don't like change even more.

I was impressed by XP, even so impressed that I survived it hanging every two hours of uptime on me. I was impressed by Vista, even so impressed that I made it my primary OS on launch and survived the lack of good drivers for many of my devices for months. I was extremely impressed by 7, making it my primary operating system from the public Beta onward. I am not impressed by 8, unless we count the extremely sexy Task Manager.

If you are going to run a DIY OS you should build a DIY computer. I mean... you aren't going to get a $BrandName$ with Win 8 OEM preloaded just to wipe it and install Linux, will you? No. Get a gaming motherboard with no secure anything and run Linux.

Microsoft has a good reason for this. A “growing class of malware targets the boot path [and] often the only fix is to reinstall the operating system,” van der Hoeven said. “UEFI and secure boot harden the boot process [and] reduce the likelihood of bootkits, rootkits and ransomware.”

There are only two ways to install malware in the boot path: boot from something that installs it or compromise a running system. Malware which requires booting from compromised media cannot spread quickly because booting from external media only happens when the user means to install an OS.

So what Microsoft is indirectly saying here is that they cannot secure the running system against attacks on the boot loader and kernel and their solution is to have the motherboard check the boot loader's signature before running it, and have that boot loader check the kernel's signature, etc.

Do you really want to run an operating system whose vendor has confessed that they cannot prevent user space from taking over your boot loader?

So far, I just don't see a compelling reason to switch to 8 when it's released. I don't care either way. Win 7 is the first MS OS I've ever explicitly paid for; every other Windows I've installed came with a laptop or something.

However, if it impedes my ability to load whatever I want, on whatever I want, whenever I want...I'm going to be pissed.

Right now, though, I'm just debating if burning the eval ISOs I got from MS is worth my time.

Who was that "unimpressed" by an unreleased OS? Weren't you the one a few years back saying the same thing about Win 7 and vowing to stick with XP forever and ever? History always repeats itself with these things. People don't like change. Nerds don't like change even more.

I was impressed by XP, even so impressed that I survived it hanging every two hours of uptime on me. I was impressed by Vista, even so impressed that I made it my primary OS on launch and survived the lack of good drivers for many of my devices for months. I was extremely impressed by 7, making it my primary operating system from the public Beta onward. I am not impressed by 8, unless we count the extremely sexy Task Manager.

Yep, that's how it was for me as well. I honestly have different machines that run each of them for different reasons. Just because someone says they don't like Windows 8 doesn't mean they were the XPaholic that refused change. Change is a good thing in moderation; however, I think to expect Windows 8 to replace Windows 7 is a bit far-fetched, as Windows 7 is quite stable and still has a future. I view Windows 8 more as a tablet-based OS than something I would put on a desktop. I would try it on a tablet but wouldn't give up 7 for it on my PCs.

You'd have thought it would be possible to enable secure boot on certain boot devices but not on others.

I can see this being enabled and enforced on corporate machines, with consumer machines and motherboards being sold with a BIOS / UEFI switch to disable Secure Boot mode.

I also see all this furore being a total and complete non-event. Anyone who knows enough to care will be able to get a machine that won't stop them installing Linux. Anyone who buys a pre-installed Win8 machine almost certainly won't care that they can't put Linux on it.

Given where computing is going in terms of power, I'd say it is safe to say your mainstream PC that will be UEFI enabled will have 4GB RAM and at least a dual core.

So why are we bothering with dual boot? Virtualize and prosper! Dual boot was a solution for the problem of needing to use windows and linux together. It was a solution, but the only available solution at the time; and hyper-v/vmware let you have your cake and eat it too.

This is a case of worrying that the horse might get out of the barn. If the 'Nix/BSD folks can't solve this one by the time Win 8 is released to the manufacturers, they aren't trying hard enough. You can probably solve it right now with the free EasyBCD app.

If you are going to run a DIY OS you should build a DIY computer. I mean... you aren't going to get a $BrandName$ with Win 8 OEM preloaded just to wipe it and install Linux, will you? No. Get a gaming motherboard with no secure anything and run Linux.

And for people who would like a laptop?

Simple, get one of those DIY lapt....oh.

In seriousness, though, plenty of people do wind up dual-booting on OEM hardware. I had a cheap refurb Dell I dual-booted on for years; the hardware was all compatible, it was priced well, and it did everything I needed it to. And I imagine there are at least a few people who might be interested in some of the small/odd form factor options that OEMs put out. Really, if you shop deals and do a little research some OEM systems can be a pretty good value.

I say if you're going to run a DIY OS on a DIY computer you should do it on DIY silicon, on a DIY PCB. At the very least, code your own microprocessor in VHDL on an FPGA. Be a man. Oh, and code your own OS, too.

Why exactly does Windows 8 need this signed-boot option to provide security when Linux, BSD, Mac and every other OS has provided better security without it?

Those OSes got around the problem by avoiding the dreaded "popularity" and "ubiquity" of Windows, so it's not pursued nearly as hard as an attack vector.

Any OS that uses a real-mode bootstrap process is vulnerable to unapproved code being injected and taking over, regardless of your religious concern about its inherent superiority. The fact that it is not exploited is as much a reflection on the user base and attractiveness as a target as anything else. Code signing enforced from the firmware simply cuts that path off. You can make snarky comments all you want, but it will virtually always be safer than a system that runs any arbitrary code and presumes a perfect fence around that code.

Microsoft has a good reason for this. A “growing class of malware targets the boot path [and] often the only fix is to reinstall the operating system,” van der Hoeven said. “UEFI and secure boot harden the boot process [and] reduce the likelihood of bootkits, rootkits and ransomware.”

There are only two ways to install malware in the boot path: boot from something that installs it or compromise a running system. Malware which requires booting from compromised media cannot spread quickly because booting from external media only happens when the user means to install an OS.

So what Microsoft is indirectly saying here is that they cannot secure the running system against attacks on the boot loader and kernel and their solution is to have the motherboard check the boot loader's signature before running it, and have that boot loader check the kernel's signature, etc.

Do you really want to run an operating system whose vendor has confessed that they cannot prevent user space from taking over your boot loader?

Right, because we should instead be using one of the many widely-used general-purpose operating systems that has never suffered a privilege escalation vulnerability.

Some do, some don't. There are plenty of us who regularly install the latest Ubuntu or Windows dev preview on a VM or partition simply for something to tinker and play with. Change is inevitable and I like finding the things I like about new software and giving myself time to adapt to or circumvent things I like less.

Is this something that can be configured at the time of purchase? Change a radio button from "Secure hardware OS" to "Allow 3rd party OS installations"? Stupid consumers would just skip over it, and people who actually care about Linux could get what they want (besides having to buy through Dell/HP/Lenovo/Sony to get a custom build)?

I have tested this OS for 1 hour and I have got to say it is the worst. Apparently Microshaft doesn't agree with the file systems that Linux supports. I was dual booting Ubuntu with XP. Ubuntu was running great and so was XP, but the moment the Windows developer preview came in, it completely thrashed my SATA drive. Boy was I in great disappointment. Although it is an OS made to be installed on tablet PCs, I will never let this crapware enter my house again. Windows 7 is enough for me and will stay that way. /failclap to Microshaft.

a) It won't just complicate Windows installs. It will complicate BSD installs (and HaikuOS, ReactOS, etc).
b) It will also complicate installation of malware.
c) The Linux people screwed themselves with the GPLv3.

I haven't yet played with UEFI boards, but just looking at the hoopla over the corrupted certificates issued by the CA in Northern Europe that allowed people to intercept HTTPS connections, how long will it take for someone to fake out a UEFI BIOS with a fake certificate? Or to leak the key to a certificate so that anyone can sign their OS and have it boot?

Just look at the leaked Blu-ray DVD key, the DeCSS issue, etc.

If there's a required key, it won't be too long before it's leaked and the cat is out of the bag yet again.

John

I think you are missing the point. It isn't meant to only have certain OSes run, it's to make sure that whatever OS is installed, that nothing is injected into the process by another entity.

If implemented correctly, the trusted certificate authority list should be modifiable.
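The mechanism the article's "Disabling secure boot" section describes, and that the comments above restate (firmware checks the bootloader's signature against its trusted key list, the bootloader checks the kernel, a leaked key can be revoked, the trust list can be extended, and the setup-menu switch turns the whole check off), as an added Go model that is not code from the article or from any commenter. Image, Firmware, DB and DBX are simplified stand-ins, ed25519 replaces the X.509/Authenticode machinery real UEFI firmware uses, and the sample keys are generated at run time.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"fmt"
)

// Image is one boot stage (bootloader or kernel) with its signer's public key and
// signature: a hypothetical stand-in for a signed PE image, not the real format.
type Image struct {
	Name, Body string
	SignerKey  ed25519.PublicKey
	Sig        []byte
}

// Firmware models the UEFI trust state: DB is the trusted key list (append to it to
// enroll a user key), DBX holds revoked keys by SHA-256, SecureBoot is the switch.
type Firmware struct {
	DB         []ed25519.PublicKey
	DBX        map[[32]byte]bool
	SecureBoot bool
}

// Verify is the check each stage must pass before control is transferred to it.
func (fw *Firmware) Verify(img Image) error {
	if !fw.SecureBoot {
		return nil // switch off: any image boots, exactly as on a legacy BIOS
	}
	if fw.DBX[sha256.Sum256(img.SignerKey)] {
		return fmt.Errorf("%s: signing key is revoked", img.Name)
	}
	for _, k := range fw.DB {
		if k.Equal(img.SignerKey) && ed25519.Verify(k, []byte(img.Body), img.Sig) {
			return nil
		}
	}
	return fmt.Errorf("%s: not signed by a key in db", img.Name)
}

// Revoke adds a key to DBX; DBX is checked before DB, so a leaked key stays blocked.
func (fw *Firmware) Revoke(k ed25519.PublicKey) {
	if fw.DBX == nil {
		fw.DBX = map[[32]byte]bool{}
	}
	fw.DBX[sha256.Sum256(k)] = true
}

// Boot walks the chain in order and stops at the first stage that fails verification.
func (fw *Firmware) Boot(chain ...Image) (err error) {
	for i := 0; i < len(chain) && err == nil; i++ {
		err = fw.Verify(chain[i])
	}
	return err
}
```

Note that a tampered kernel body fails even when its signer's key is trusted, and that revocation through DBX wins over DB, which is the defender's answer to the "leaked key" worry raised in the comments.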